PCA vs. EIS

Last updated: Sat, 01 Sep 2007 16:46:00 GMT

I work in an environment that's considered to be secure, because it's isolated. It's also considered highly stable, because it's never patched.

If it ain't broke, so the saying goes, don't fix it. Stability does not come from applying the latest and greatest patches to your servers every night. They might be up to date, but apart from the fact that you'll be rebooting them for single-user patches every few days, you're presenting your users with a terribly fast-moving target, and you're opening yourself up to the inevitable mistakes that the suppliers of your patches will make. They're human.

On the other hand, I'm firmly of the belief that security doesn't stop at the border and that there's a bare minimum of patching that just has to be done; a level that must be maintained. In my humble opinion there's little excuse for being years behind current. If your environment requires high uptimes, there are better solutions, with side-benefits, than switching your servers on and never touching them again.

Sun release patches on an almost continuous basis, along with a number of tools to help you keep your servers up to date. I'm not a big fan of their tools, to be honest. There's a better way, and that way is PCA.

Before a friend turned me on to PCA, I'd dallied with Sun's smpatch, but found it painful; slow and obstructive. Before that, I used Sun's published "recommended" patch sets. Every once in a while, they release patches as sets, for download via SunSolve, and also on their "EIS" DVDs, along with a host of other goodies. These sets of patches are tested together rigorously, and it takes some time before a regular patch can make its way into the recommended set, if ever. As such, the sets released represent a happy medium, a balance between a solid base-line and a reluctance to change the operating environment for no good reason.

They have their problems though, or did — it's some time since I suffered one. They're large, and realistically have to be copied around in toto and dumped somewhere that's still reachable in single-user mode. They take an age to apply, and much of that time, single-user time, may be wasted finding out that 75% of the patches are not required.

As a result, a lot of people fall into the practice of applying the recommended set at the time the server is commissioned, and then cherry-pick their patches as necessity dictates, promising themselves that they'll get round to applying another base-line set in six months or so. Or so.

So when we inherited our current environment, we decided that we really needed to find that balance. We needed to get everything reasonably up to date, and we needed a way to do that which would lend itself to continued good practice; something that would make it easy to get up to date now, and easy to keep up to date, at three- or six-month intervals. I suggested PCA, of course.

PCA is quite happy analysing the current machine's patch levels and comparing them to the current patchdiag.xref. It's happy to download only the files you need to get your machine up to date. It's happy to apply only patches that don't require a reboot, or single-user installation, so that you can get some of the job done without any downtime. Sounds good to me.

How to go about it, though? With no external Internet access, we can't go to SunSolve, so as well as being the source of our all-controlling patchdiag.xref file, our EIS DVD has to be the source of our patches too. The structure of the DVDs is a little messy, with many patches in the tar.bz2'd recommended patch sets, but a lot of other patches, including security patches, tucked away in other directories. There's a fair bit of duplication for good measure. Also, the patchdiag.xref file is large, and contains references to many patches that are, by necessity, not on the DVD.

Enter Perl, in the form of mkpcadir. It took a couple of hours to scratch up a proof of concept, and then a few more hours to tidy up, and to correct my foolish initial assumption that the recommended patches would probably be duplicated elsewhere on the DVD, not tucked away in the recommended archives.

Operation is pretty simple, and the details are on the mkpcadir project page. It takes a fair amount of time to suck all of the patches off the DVD, and can take some time to unpack all of the recommended archives then translate the patches found within into individual archives. But the result is just what we were looking for: a single directory containing every patch found on the DVD that's referenced in the xref file, and an xref file that only references the patches found in that directory.
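As an added illustration of the last step mkpcadir has to get right (this is my sketch, not the project's code), here is the xref pruning in Python: it keeps only xref entries whose exact id-rev archive is present, so PCA never asks the server for a revision it doesn't hold, and it reports archives the pruned xref no longer references. The `<id>-<rev>.zip` naming and the `id|rev|...` field layout are assumptions about PCA's conventions; the sample xref lines and file names are constructed.

```python
import os
import re

# Archives named the way PCA fetches them, <id>-<rev>.zip (assumed naming).
PATCH_FILE = re.compile(r"^(\d{6})-(\d{2})\.zip$")

def archives_in(names):
    """Map patch id -> revision for every <id>-<rev>.zip in names."""
    return {m.group(1): m.group(2) for m in map(PATCH_FILE.match, names) if m}

def filter_xref(xref_lines, have):
    """Keep comment lines plus entries whose exact id-rev archive exists.
    Returns (kept lines, dropped 'id-rev' strings)."""
    kept, dropped = [], []
    for line in xref_lines:
        fields = line.rstrip("\n").split("|")
        if line.startswith("#") or len(fields) < 2:
            kept.append(line)  # header/comment/blank: preserve verbatim
            continue
        pid, rev = fields[0], fields[1]  # assumed: field 1 = patch id, field 2 = revision
        # Match id AND revision: an xref rev newer than the archive on disk would
        # make pca request a file the distribution server does not have.
        if have.get(pid) == rev:
            kept.append(line)
        else:
            dropped.append(f"{pid}-{rev}")
    return kept, dropped

def orphans(names, kept):
    """Archives in the directory that the filtered xref no longer references."""
    referenced = {"-".join(l.split("|")[:2]) for l in kept if not l.startswith("#")}
    return sorted(n for n in names if PATCH_FILE.match(n) and n[:-4] not in referenced)

def build_pca_dir(xref_in, patch_dir, xref_out):
    """Write an xref for patch_dir; returns (dropped entries, unreferenced files)."""
    names = os.listdir(patch_dir)
    with open(xref_in) as src, open(xref_out, "w") as dst:
        kept, dropped = filter_xref(src, archives_in(names))
        dst.writelines(kept)
    return dropped, orphans(names, kept)

# Constructed sample (assumed fields: id|rev|date|R|S|O|B|os|arch|pkgs|synopsis):
# 100003 is on disk only at rev 04 while the xref wants 05; 100009 is unreferenced.
SAMPLE_XREF = [
    "# PATCHDIAG XREF (constructed sample)\n",
    "100001|03|Aug/01/07|R|S| | |10|sparc;|SUNWcsu|constructed kernel patch\n",
    "100002|01|Jul/15/07| |S| | |10|sparc;|SUNWsshdu|constructed ssh patch\n",
    "100003|05|Jun/30/07|R| | | |10|sparc;|SUNWcslr|constructed libc patch\n",
]
SAMPLE_FILES = ["100001-03.zip", "100002-01.zip", "100003-04.zip", "100009-01.zip"]
```

Run `build_pca_dir` against the unpacked DVD directory and the DVD's patchdiag.xref; anything it returns as dropped or orphaned is worth a second look before the set is published.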

A simple snippet of Apache2 setup on our chosen distribution server:

Alias /patches/ "/export/patches/htdocs/"

<Directory "/export/patches/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

allows us to stick multiple sets on there, with our current favourite singled out by a symbolic link:

bash-3.00$ ls -l /export/patches/htdocs
total 296
drwxr-xr-x   2 root     root       37888 Aug 31 15:49 2007-04
drwxr-xr-x   2 root     root       38400 Aug 31 16:31 2007-05
lrwxrwxrwx   1 root     root           7 Aug 31 09:49 current -> 2007-05
-rwxr-xr-x   1 root     root       66797 Aug 31 10:15 pca
-rw-r--r--   1 root     root         103 Aug 31 10:15 pca.conf

We can then distribute the PCA client and a simple /etc/pca.conf file like this one:

xrefurl=http://192.168.1.7/patches/current/
patchurl=http://192.168.1.7/patches/current/
patchdir=/var/pca

From here on in, it's all plain sailing, PCA-style, and everything works as it would normally, except that you're comparing against and patching up to the EIS patch set of your choice, not live information direct from SunSolve.

To compare your server with the recommended and security patches of the EIS set of your choice, and then download those patches that you're missing:

pca missingrs
pca --download missingrs

Then run through the missing patches, checking for any problems and identifying those that'll need a reboot. If you're happy, install those patches that don't require reboot:

pca --pretend --noreboot missingrs
pca --install --noreboot missingrs

Finally, take the server down to init 1 however you like and then install those that are remaining with:

pca --install missingrs

Obviously, that's a vast over-simplification, but if you need some more tips on driving PCA, the official website is the best place to start.